Security Alert: Go 1.24 with OpenSSL Patch Released
What happened
SUSE has released a security update for Go 1.24 with OpenSSL that addresses multiple vulnerabilities. Teams using Go-based microservices or cloud tools are advised to review and update their dependencies to mitigate the known security risks.
Why it matters
This security update for Go 1.24 addresses three distinct vulnerabilities, including a critical code smuggling flaw and a high-severity authentication bypass. The patch is specifically for builds of Go that are linked against OpenSSL, a common practice in enterprise environments like Red Hat Enterprise Linux to meet FIPS compliance for cryptographic modules. One of the most severe issues fixed is CVE-2025-61732, a flaw in how the cgo tool parses comments. This discrepancy between Go and C/C++ comment parsing could allow an attacker to smuggle malicious code into a compiled binary, leading to arbitrary code execution. This type of vulnerability represents a significant supply chain risk, as code that appears benign during a review could contain hidden executable payloads. Another patched vulnerability, CVE-2025-68119, involves the Go toolchain's handling of version control systems like Git and Mercurial. By crafting malicious version strings for a Go module, an attacker could achieve local code execution or write to arbitrary files on a developer's machine during the module download and build process. The update also resolves CVE-2025-68121, a vulnerability in the crypto/tls package. This flaw could allow an authentication bypass during TLS session resumption if certificate authority configurations were changed between the initial connection and the resumption, potentially allowing a client to reconnect without satisfying updated, stricter security policies.
Key numbers
- SUSE has released a security update for Go 1.24 with OpenSSL that addresses multiple vulnerabilities.
- This security update for Go 1.24 addresses three distinct vulnerabilities, including a critical code smuggling flaw and a high-severity authentication bypass.
- One of the most severe issues fixed is CVE-2025-61732, a flaw in how the cgo tool parses comments.
- Another patched vulnerability, CVE-2025-68119, involves the Go toolchain's handling of version control systems like Git and Mercurial.
What happens next
- This discrepancy between Go and C/C++ comment parsing could allow an attacker to smuggle malicious code into a compiled binary, leading to arbitrary code execution.
- This type of vulnerability represents a significant supply chain risk, as code that appears benign during a review could contain hidden executable payloads.
- By crafting malicious version strings for a Go module, an attacker could achieve local code execution or write to arbitrary files on a developer's machine during the module download and build process.
Quick answers
What happened in Security Alert: Go 1.24 with OpenSSL Patch Released?
SUSE has released a security update for Go 1.24 with OpenSSL that addresses multiple vulnerabilities. Teams using Go-based microservices or cloud tools are advised to review and update their dependencies to mitigate the known security risks.
Why does Security Alert: Go 1.24 with OpenSSL Patch Released matter?
This security update for Go 1.24 addresses three distinct vulnerabilities, including a critical code smuggling flaw and a high-severity authentication bypass. The patch is specifically for builds of Go that are linked against OpenSSL, a common practice in enterprise environments like Red Hat Enterprise Linux to meet FIPS compliance for cryptographic modules. One of the most severe issues fixed is CVE-2025-61732, a flaw in how the cgo tool parses comments. This discrepancy between Go and C/C++ comment parsing could allow an attacker to smuggle malicious code into a compiled binary, leading to arbitrary code execution. This type of vulnerability represents a significant supply chain risk, as code that appears benign during a review could contain hidden executable payloads. Another patched vulnerability, CVE-2025-68119, involves the Go toolchain's handling of version control systems like Git and Mercurial. By crafting malicious version strings for a Go module, an attacker could achieve local code execution or write to arbitrary files on a developer's machine during the module download and build process. The update also resolves CVE-2025-68121, a vulnerability in the crypto/tls package. This flaw could allow an authentication bypass during TLS session resumption if certificate authority configurations were changed between the initial connection and the resumption, potentially allowing a client to reconnect without satisfying updated, stricter security policies.
